## Periodic Reporting for period 4 - MPCPRO (Better MPC Protocols in Theory and in Practice)

Reporting period: 2020-04-01 to 2021-03-31

The classical formulation of the Multiparty Computation (MPC) problem considers n players. Each player holds some private input data, and the goal is to design a protocol that the players can execute to compute some output that depends on all n inputs. This should be done in such a way that we can make sure the result is correct, and that the result is the only new information that is released, i.e. we want to keep the inputs as confidential as possible. A simple example of this is the voting problem: each player secretly votes yes or no, and we want to find the total number of yes (and no) votes without revealing how each individual player voted.
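The voting problem above, simulated as an added example (not from the MPCPRO report): additive secret sharing modulo a prime is assumed as the mechanism, since the text names no particular protocol, and the "network" is a list of in-memory inboxes.

```python
"""Added example, not from the MPCPRO report: the yes/no voting problem,
simulated with additive secret sharing modulo a prime P (an assumption).
Each player splits its vote into n random shares that add up to the vote,
keeps one share, sends one to every other player, and finally publishes only
the sum of the shares it holds. Adding the n published sums gives the tally;
a coalition of corrupt players learns only the total of the honest votes."""
import secrets

P = 2**61 - 1  # constructed prime modulus, far larger than any number of players


def share(vote, n):
    """Split `vote` into n shares, uniformly random subject to sum % P == vote."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((vote - sum(shares)) % P)
    return shares


def run_protocol(votes):
    """Honest execution on 0/1 votes; returns the n published partial sums."""
    n = len(votes)
    if any(v not in (0, 1) for v in votes):
        raise ValueError("each vote must be 0 (no) or 1 (yes)")
    inbox = [[] for _ in range(n)]
    for v in votes:                              # round 1: distribute shares
        for j, s in enumerate(share(v, n)):
            inbox[j].append(s)                   # share j goes to player j
    return [sum(box) % P for box in inbox]       # round 2: publish partial sums


def tally(votes):
    """Number of yes votes, as every player reconstructs it from the public sums."""
    return sum(run_protocol(votes)) % P


def coalition_knowledge(votes, corrupt):
    """Everything a set of corrupt players can derive about the honest players:
    the public total minus their own votes gives the honest yes-count. With two
    or more honest players, every share in a corrupt inbox and every honest
    partial sum is uniformly random, so which honest player voted yes stays
    hidden; only this aggregate is inherent to the result itself."""
    total = sum(run_protocol(votes)) % P
    return (total - sum(votes[i] for i in corrupt)) % P
```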

It is an important goal for MPC protocols to maintain correctness and privacy even if some of the players collude - in order to learn more than they are supposed to, or to make the result incorrect. Such a collusion could also result from an external adversary breaking into some of the computers that form the system. After this point, the corrupted machines follow a common strategy dictated by the adversary. MPC protocols are known that allow us in principle to carry out any computation securely, using various cryptographic techniques, and this opens the door to a very large number of potential applications. Examples include:

1) Auctions or procurement where players input bids and we want to find the winning bid - without compromising the privacy of the losing players.

2) Confidential benchmarking where several companies in the same line of business want to compare their performance - without revealing data on their own business to the competitors.

3) Secure data mining where the goal is to extract statistics from several databases that hold personal information - without breaking privacy regulations by giving a single party access to all the data.

As illustrated by the examples, MPC can be seen as an enabling technology that allows us to build systems that could otherwise not be used for lack of privacy guarantees. Moreover, this type of distributed system, where data can only be stolen by breaking into almost all the machines, seems to be one of the only viable defenses against organized hacking and hostile intelligence services.

However, we still have a long way to go before secure computation can be used in large-scale applications: despite a very rapid improvement in the efficiency of MPC over the last 15 years, the performance of the best MPC protocol is currently roughly comparable to that of the Intel 80386 processor from the 1990s. While further improvement is desirable, we do not understand very well the limits on how efficient MPC can be.

To address these challenges, the MPCPRO project consists of three subprojects:

1) Implementation of protocols and a new theory for their performance

2) Development of new and more efficient MPC protocols

3) Lower bounds for performance of MPC.

During the project, work has been performed on all three sub-projects. We give some concrete and important examples of published work from the project.

• Ivan Damgård, Kasper Damgård, Kurt Nielsen, Peter Sebastian Nordholt, Tomas Toft: Confidential Benchmarking Based on Multiparty Computation. Proceedings of Financial Cryptography 2017.

This result falls in sub-project 1. We implemented and optimized a well-known MPC protocol for use in confidential benchmarking, where the idea is that a bank customer can be scored with respect to creditworthiness based on a large database containing data on his peers. The database learns nothing about the customer, and the bank learns nothing except the score of the customer. This gets around legislation that would prevent the bank from getting access to the database and the database from learning the identity of the customer. It is shown that linear programming can be done inside MPC to solve the problem efficiently enough for practical use.

• Ivan Damgård, Kasper Green Larsen, Jesper Buus Nielsen: Communication Lower Bounds for Statistically Secure MPC, With or Without Preprocessing. Proceedings of CRYPTO 2019.

In this work, we show very general lower bounds that hold for any unconditionally secure MPC protocol. The bounds demonstrate, for the first time, that doing information-theoretically secure MPC must incur a communication overhead compared to doing the same computation without security. They also show that the best-known general methods have optimal communication complexity.

• Ivan Damgård, Jesper Buus Nielsen, Michael Nielsen, Samuel Ranellucci: The TinyTable Protocol for 2-Party Secure Computation, or: Gate-Scrambling Revisited. Proceedings of CRYPTO 2017.

In this work, we present a new approach to secure computation of Boolean circuits in the preprocessing model, based on precomputation of a table for each gate in the circuit. This is by far the simplest protocol in this model so far, and we obtain an implementation of secure computation of AES encryption that has the fastest amortized performance so far. We also obtain the best-known asymptotic complexity for secure computation of general Boolean circuits.
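A minimal, passively secure sketch of the per-gate table idea, added here as an illustration and not the TinyTable paper's own code or protocol: a trusted dealer stands in for the preprocessing phase (an assumption; the actual protocol produces and authenticates the tables cryptographically), and the circuit, wire numbering and gate set are constructed for the example.

```python
"""Added example, not the TinyTable paper's code: two-party evaluation of a
Boolean circuit from precomputed, XOR-shared per-gate tables. A trusted dealer
(an assumption) plays the preprocessing phase. Every wire w gets a secret
random mask r_w, and online the parties only ever see masked bits e_w = x_w ^ r_w.
Each gate's 2x2 table is indexed by the masked input bits, so evaluating a gate
costs one bit from each party and reveals exactly one entry, itself masked."""
import secrets

GATE_FN = {"AND": lambda x, y: x & y, "XOR": lambda x, y: x ^ y}
# Constructed circuit: wires 0..3 are inputs, wire 6 = (w0 AND w1) XOR (w2 AND w3).
CIRCUIT = [("AND", 0, 1, 4), ("AND", 2, 3, 5), ("XOR", 4, 5, 6)]
N_WIRES, OUTPUT_WIRE = 7, 6


def preprocess(circuit, n_wires):
    """Dealer: choose wire masks and XOR-share one scrambled table per gate."""
    mask = [secrets.randbelow(2) for _ in range(n_wires)]
    tables_a, tables_b = [], []
    for op, u, v, w in circuit:
        ta, tb = {}, {}
        for eu in (0, 1):
            for ev in (0, 1):
                # Entry for masked inputs (eu, ev): the gate applied to the
                # unmasked inputs, re-masked with the output wire's mask.
                entry = GATE_FN[op](eu ^ mask[u], ev ^ mask[v]) ^ mask[w]
                ta[eu, ev] = secrets.randbelow(2)
                tb[eu, ev] = entry ^ ta[eu, ev]
        tables_a.append(ta)
        tables_b.append(tb)
    return mask, tables_a, tables_b


def evaluate(circuit, inputs, mask, tables_a, tables_b, output_wire):
    """Online phase. `inputs` maps input wire -> bit; each input's owner got the
    wire mask from the dealer and publishes the masked bit. A gate is evaluated
    by both parties revealing their share of the one entry the masked bits select."""
    masked = {w: bit ^ mask[w] for w, bit in inputs.items()}
    for g, (op, u, v, w) in enumerate(circuit):
        eu, ev = masked[u], masked[v]
        masked[w] = tables_a[g][eu, ev] ^ tables_b[g][eu, ev]
    # The dealer hands the output wire's mask to whoever may learn the result.
    return masked[output_wire] ^ mask[output_wire]


def plain(circuit, inputs, output_wire):
    """Reference evaluation in the clear, used to check the protocol."""
    val = dict(inputs)
    for op, u, v, w in circuit:
        val[w] = GATE_FN[op](val[u], val[v])
    return val[output_wire]


def secure_eval(inputs):
    """Preprocessing plus online phase on the constructed circuit."""
    mask, ta, tb = preprocess(CIRCUIT, N_WIRES)
    return evaluate(CIRCUIT, inputs, mask, ta, tb, OUTPUT_WIRE)
```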

In the first half of the project, we have advanced the state of the art very significantly in subproject 3. We have shown fundamental limitations on the amount of communication one must use to obtain information-theoretically secure MPC, and hence that the best-known solutions are essentially the best we can hope for.

In terms of design and implementation of MPC protocols we have also advanced the state of the art significantly, for instance by setting a new world record for the speed of secure AES computation. We have also shown that the fast arithmetic used in computer CPUs can be implemented much more directly in MPC than was previously known, which implies significant efficiency improvements.